1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
4 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
7 This file is part of systemd.
9 Copyright 2010 Lennart Poettering
11 systemd is free software; you can redistribute it and/or modify it
12 under the terms of the GNU Lesser General Public License as published by
13 the Free Software Foundation; either version 2.1 of the License, or
14 (at your option) any later version.
16 systemd is distributed in the hope that it will be useful, but
17 WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 Lesser General Public License for more details.
21 You should have received a copy of the GNU Lesser General Public License
22 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 <refentry id="systemd.exec">
27 <title>systemd.exec</title>
28 <productname>systemd</productname>
32 <contrib>Developer</contrib>
33 <firstname>Lennart</firstname>
34 <surname>Poettering</surname>
35 <email>lennart@poettering.net</email>
41 <refentrytitle>systemd.exec</refentrytitle>
42 <manvolnum>5</manvolnum>
46 <refname>systemd.exec</refname>
47 <refpurpose>Execution environment configuration</refpurpose>
51 <para><filename>systemd.service</filename>,
52 <filename>systemd.socket</filename>,
53 <filename>systemd.mount</filename>,
54 <filename>systemd.swap</filename></para>
58 <title>Description</title>
60 <para>Unit configuration files for services, sockets,
61 mount points and swap devices share a subset of
62 configuration options which define the execution
63 environment of spawned processes.</para>
65 <para>This man page lists the configuration options
66 shared by these four unit types. See
67 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
68 for the common options of all unit configuration files, and
70 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
71 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
72 <citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
74 <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
75 for more information on the specific unit
76 configuration files. The execution specific
77 configuration options are configured in the [Service],
78 [Socket], [Mount], or [Swap] sections, depending on the unit type.
83 <title>Options</title>
88 <term><varname>WorkingDirectory=</varname></term>
90 <listitem><para>Takes an absolute
91 directory path. Sets the working
92 directory for executed processes. If
94 not set, defaults to the root directory
94 when systemd is running as a system
95 instance and the respective user's
96 home directory if run as
97 user.</para></listitem>
101 <term><varname>RootDirectory=</varname></term>
103 <listitem><para>Takes an absolute
104 directory path. Sets the root
105 directory for executed processes, with the
107 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>
108 system call. If this is used it must
109 be ensured that the process and all
110 its auxiliary files are available in
111 the <function>chroot()</function>
112 jail.</para></listitem>
116 <term><varname>User=</varname></term>
117 <term><varname>Group=</varname></term>
119 <listitem><para>Sets the Unix user
120 or group that the processes are executed
121 as, respectively. Takes a single user or group
122 name or ID as argument. If no group is
123 set, the default group of the user is
124 chosen.</para></listitem>
128 <term><varname>SupplementaryGroups=</varname></term>
130 <listitem><para>Sets the supplementary
131 Unix groups the processes are executed
132 as. This takes a space separated list
133 of group names or IDs. This option may
134 be specified more than once in which
135 case all listed groups are set as
136 supplementary groups. This option does
137 not override but extends the list of
138 supplementary groups configured in the
139 system group database for the
140 user.</para></listitem>
144 <term><varname>Nice=</varname></term>
146 <listitem><para>Sets the default nice
147 level (scheduling priority) for
148 executed processes. Takes an integer
149 between -20 (highest priority) and 19
150 (lowest priority). See
151 <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry>
152 for details.</para></listitem>
156 <term><varname>OOMScoreAdjust=</varname></term>
158 <listitem><para>Sets the adjustment
159 level for the Out-Of-Memory killer for
160 executed processes. Takes an integer
161 between -1000 (to disable OOM killing
162 for this process) and 1000 (to make
163 killing of this process under memory
164 pressure very likely). See <ulink
165 url="http://www.kernel.org/doc/Documentation/filesystems/proc.txt">proc.txt</ulink>
166 for details.</para></listitem>
170 <term><varname>IOSchedulingClass=</varname></term>
172 <listitem><para>Sets the IO scheduling
173 class for executed processes. Takes an
174 integer between 0 and 3 or one of the
175 strings <option>none</option>,
176 <option>realtime</option>,
177 <option>best-effort</option> or
178 <option>idle</option>. See
179 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
180 for details.</para></listitem>
184 <term><varname>IOSchedulingPriority=</varname></term>
186 <listitem><para>Sets the IO scheduling
187 priority for executed processes. Takes
188 an integer between 0 (highest
189 priority) and 7 (lowest priority). The
190 available priorities depend on the
191 selected IO scheduling class (see above). See
193 <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry>
194 for details.</para></listitem>
198 <term><varname>CPUSchedulingPolicy=</varname></term>
200 <listitem><para>Sets the CPU
201 scheduling policy for executed
202 processes. Takes one of
203 <option>other</option>,
204 <option>batch</option>,
205 <option>idle</option>,
206 <option>fifo</option> or
207 <option>rr</option>. See
208 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
209 for details.</para></listitem>
213 <term><varname>CPUSchedulingPriority=</varname></term>
215 <listitem><para>Sets the CPU
216 scheduling priority for executed
217 processes. Takes an integer between 1
218 (lowest priority) and 99 (highest
219 priority). The available priority
220 range depends on the selected CPU
221 scheduling policy (see above). See
222 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
223 for details.</para></listitem>
227 <term><varname>CPUSchedulingResetOnFork=</varname></term>
229 <listitem><para>Takes a boolean
230 argument. If true, elevated CPU
231 scheduling priorities and policies
232 will be reset when the executed
233 processes fork, and can hence not leak
234 into child processes. See
235 <citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
236 for details. Defaults to false.</para></listitem>
240 <term><varname>CPUAffinity=</varname></term>
242 <listitem><para>Controls the CPU
243 affinity of the executed
244 processes. Takes a space-separated
245 list of CPU indexes. See
246 <citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry>
247 for details.</para></listitem>
251 <term><varname>UMask=</varname></term>
253 <listitem><para>Controls the file mode
254 creation mask. Takes an access mode in octal notation. See
256 <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry>
257 for details. Defaults to
258 0022.</para></listitem>
262 <term><varname>Environment=</varname></term>
264 <listitem><para>Sets environment
265 variables for executed
266 processes. Takes a space-separated
267 list of variable assignments. This
268 option may be specified more than once
269 in which case all listed variables
270 will be set. If the same variable is
271 set twice the later setting will
272 override the earlier setting. See
273 <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
274 for details.</para></listitem>
277 <term><varname>EnvironmentFile=</varname></term>
278 <listitem><para>Similar to
279 <varname>Environment=</varname> but
280 reads the environment variables from a
281 text file. The text file should
282 contain new-line separated variable
283 assignments. Empty lines and lines
284 starting with ; or # will be ignored,
285 which may be used for commenting. The
286 parser strips leading and
287 trailing whitespace from the values
288 of assignments, unless you use double quotes ("). The
291 argument passed should be an absolute
292 file name, optionally prefixed with
293 "-", which indicates that if the file
294 does not exist it won't be read and no
295 error or warning message is
296 logged. The files listed with this
297 directive will be read shortly before
298 the process is executed. Settings from
299 these files override settings made with
301 <varname>Environment=</varname>. If
302 the same variable is set twice from
303 these files the files will be read in
304 the order they are specified and the
305 later setting will override the
306 earlier setting. </para></listitem>
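The following Python, added here as an illustration and not part of systemd, models the EnvironmentFile= rules stated above (comment lines, whitespace stripping, double quoting, the "-" prefix and the override order); the file names, the sample file content and the treatment of lines without "=" are constructed for this example.

```python
import os
import tempfile


def parse_env_file(text):
    """Parse the contents of one EnvironmentFile= file using the rules given
    above: one assignment per line, empty lines and lines starting with ';'
    or '#' ignored, leading/trailing whitespace stripped from the value
    unless it is double-quoted, later assignments overriding earlier ones."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # comment or blank line
        if "=" not in line:
            continue  # not an assignment; skipped in this model (assumption)
        key, _, value = line.partition("=")
        key = key.strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # quoted: inner whitespace is kept verbatim
        env[key] = value  # a later line overrides an earlier one
    return env


def load_environment(environment, env_files):
    """Combine Environment= assignments with an ordered list of
    EnvironmentFile= paths. A leading '-' marks a file that may be absent
    (silently skipped); any other missing file is an error. Paths must be
    absolute. Files are read in order and override Environment=."""
    env = dict(environment)
    for spec in env_files:
        optional = spec.startswith("-")
        path = spec[1:] if optional else spec
        if not os.path.isabs(path):
            raise ValueError(f"EnvironmentFile= needs an absolute path: {spec}")
        try:
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
        except FileNotFoundError:
            if optional:
                continue
            raise
        env.update(parse_env_file(text))
    return env


def demo():
    """Write a constructed sample file into a temporary directory and return
    the merged environment; the file content is made up for this example."""
    sample = (
        "# database settings (constructed sample)\n"
        "; older-style comment\n"
        "\n"
        "DB_HOST = db.internal \n"
        'GREETING="  hello world  "\n'
        "DB_HOST=db2.internal\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "svc.env")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        absent = os.path.join(tmp, "absent.env")  # never created on purpose
        return load_environment(
            {"DB_HOST": "localhost", "MODE": "prod"},
            [path, "-" + absent],
        )


if __name__ == "__main__":
    print(demo())
```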
310 <term><varname>StandardInput=</varname></term>
311 <listitem><para>Controls where file
312 descriptor 0 (STDIN) of the executed
313 processes is connected to. Takes one
314 of <option>null</option>,
315 <option>tty</option>,
316 <option>tty-force</option>,
317 <option>tty-fail</option> or
318 <option>socket</option>. If
319 <option>null</option> is selected
320 standard input will be connected to
321 <filename>/dev/null</filename>,
322 i.e. all read attempts by the process
323 will result in immediate EOF. If
324 <option>tty</option> is selected
325 standard input is connected to a TTY (as configured via
327 <varname>TTYPath=</varname>, see
328 below) and the executed process
329 becomes the controlling process of the
330 terminal. If the terminal is already
331 being controlled by another process the
332 executed process waits until the current
333 controlling process releases the terminal.
335 <option>tty-force</option>
336 is similar to <option>tty</option>,
337 but the executed process is forcefully
338 and immediately made the controlling
339 process of the terminal, potentially
340 removing previous controlling processes from the
342 terminal. <option>tty-fail</option> is
343 similar to <option>tty</option> but if
344 the terminal already has a controlling
345 process start-up of the executed process fails. The
347 <option>socket</option> option is only
348 valid in socket-activated services,
349 and only when the socket configuration (see
351 <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
352 for details) specifies a single socket
353 only. If this option is set standard
354 input will be connected to the socket
355 the service was activated from, which
356 is primarily useful for compatibility
357 with daemons designed for use with the
359 <citerefentry><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
360 daemon. This setting defaults to
361 <option>null</option>.</para></listitem>
364 <term><varname>StandardOutput=</varname></term>
365 <listitem><para>Controls where file
366 descriptor 1 (STDOUT) of the executed
367 processes is connected to. Takes one
368 of <option>inherit</option>,
369 <option>null</option>,
370 <option>tty</option>,
371 <option>syslog</option>,
372 <option>kmsg</option>,
373 <option>journal</option>,
374 <option>syslog+console</option>,
375 <option>kmsg+console</option>,
376 <option>journal+console</option> or
377 <option>socket</option>. If set to
378 <option>inherit</option> the file
379 descriptor of standard input is
380 duplicated for standard output. If set
381 to <option>null</option> standard
382 output will be connected to
383 <filename>/dev/null</filename>,
384 i.e. everything written to it will be
385 lost. If set to <option>tty</option>
386 standard output will be connected to a
387 tty (as configured via
388 <varname>TTYPath=</varname>, see
389 below). If the TTY is used for output
390 only the executed process will not
391 become the controlling process of the
392 terminal, and will not fail or wait
393 for other processes to release the
394 terminal. <option>syslog</option>
395 connects standard output to the
396 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
398 logging service. <option>kmsg</option>
399 connects it with the kernel log buffer
400 which is accessible via
401 <citerefentry><refentrytitle>dmesg</refentrytitle><manvolnum>1</manvolnum></citerefentry>. <option>journal</option>
402 connects it with the journal which is accessible via
404 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
405 (Note that everything that is written
406 to syslog or kmsg is implicitly stored
407 in the journal as well, those options
408 are hence supersets of this
409 one). <option>syslog+console</option>,
410 <option>journal+console</option> and
411 <option>kmsg+console</option> work
412 similarly but copy the output to the system console as
414 well. <option>socket</option> connects
415 standard output to a socket from
416 socket activation, semantics are
417 similar to the respective option of
418 <varname>StandardInput=</varname>.
419 This setting defaults to the value set with
421 <option>DefaultStandardOutput=</option> in
423 <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, which defaults to
425 <option>journal</option>.</para></listitem>
428 <term><varname>StandardError=</varname></term>
429 <listitem><para>Controls where file
430 descriptor 2 (STDERR) of the executed
431 processes is connected to. The
432 available options are identical to those of
434 <varname>StandardOutput=</varname>,
435 with one exception: if set to
436 <option>inherit</option> the file
437 descriptor used for standard output is
438 duplicated for standard error. This
439 setting defaults to the value set with
440 <option>DefaultStandardError=</option> in
442 <citerefentry><refentrytitle>systemd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, which defaults to
444 <option>inherit</option>.</para></listitem>
447 <term><varname>TTYPath=</varname></term>
448 <listitem><para>Sets the terminal
449 device node to use if standard input,
450 output or stderr are connected to a
451 TTY (see above). Defaults to
452 <filename>/dev/console</filename>.</para></listitem>
455 <term><varname>TTYReset=</varname></term>
456 <listitem><para>Reset the terminal
457 device specified with
458 <varname>TTYPath=</varname> before and
459 after execution. Defaults to
460 <literal>no</literal>.</para></listitem>
463 <term><varname>TTYVHangup=</varname></term>
464 <listitem><para>Disconnect all clients
465 which have opened the terminal device specified with
467 <varname>TTYPath=</varname>
468 before and after execution. Defaults to
470 <literal>no</literal>.</para></listitem>
473 <term><varname>TTYVTDisallocate=</varname></term>
474 <listitem><para>If the terminal
475 device specified with
476 <varname>TTYPath=</varname> is a
477 virtual console terminal try to
478 deallocate the TTY before and after
479 execution. This ensures that the
480 screen and scrollback buffer is cleared. Defaults to
482 <literal>no</literal>.</para></listitem>
485 <term><varname>SyslogIdentifier=</varname></term>
486 <listitem><para>Sets the process name
487 to prefix log lines sent to syslog or
488 the kernel log buffer with. If not set
489 defaults to the process name of the
490 executed process. This option is only useful when
492 <varname>StandardOutput=</varname> or
493 <varname>StandardError=</varname> are
494 set to <option>syslog</option> or
495 <option>kmsg</option>.</para></listitem>
498 <term><varname>SyslogFacility=</varname></term>
499 <listitem><para>Sets the syslog
500 facility to use when logging to
501 syslog. One of <option>kern</option>,
502 <option>user</option>,
503 <option>mail</option>,
504 <option>daemon</option>,
505 <option>auth</option>,
506 <option>syslog</option>,
507 <option>lpr</option>,
508 <option>news</option>,
509 <option>uucp</option>,
510 <option>cron</option>,
511 <option>authpriv</option>,
512 <option>ftp</option>,
513 <option>local0</option>,
514 <option>local1</option>,
515 <option>local2</option>,
516 <option>local3</option>,
517 <option>local4</option>,
518 <option>local5</option>,
519 <option>local6</option> or
520 <option>local7</option>. See
521 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
522 for details. This option is only useful when
524 <varname>StandardOutput=</varname> or
525 <varname>StandardError=</varname> are
526 set to <option>syslog</option>. Defaults to
528 <option>daemon</option>.</para></listitem>
531 <term><varname>SyslogLevel=</varname></term>
532 <listitem><para>Default syslog level
533 to use when logging to syslog or the
534 kernel log buffer. One of
535 <option>emerg</option>,
536 <option>alert</option>,
537 <option>crit</option>,
538 <option>err</option>,
539 <option>warning</option>,
540 <option>notice</option>,
541 <option>info</option>,
542 <option>debug</option>. See
543 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
544 for details. This option is only useful when
546 <varname>StandardOutput=</varname> or
547 <varname>StandardError=</varname> are
548 set to <option>syslog</option> or
549 <option>kmsg</option>. Note that
550 individual lines output by the daemon
551 might be prefixed with a different log
552 level which can be used to override
553 the default log level specified
554 here. The interpretation of these
555 prefixes may be disabled with
556 <varname>SyslogLevelPrefix=</varname>,
557 see below. For details see
558 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>. Defaults to
561 <option>info</option>.</para></listitem>
565 <term><varname>SyslogLevelPrefix=</varname></term>
566 <listitem><para>Takes a boolean
567 argument. If true and
568 <varname>StandardOutput=</varname> or
569 <varname>StandardError=</varname> are
570 set to <option>syslog</option>,
571 <option>kmsg</option> or
572 <option>journal</option>, log lines
573 written by the executed process that
574 are prefixed with a log level will be
575 passed on to syslog with this log
576 level set but the prefix removed. If
577 set to false, the interpretation of
578 these prefixes is disabled and the
579 logged lines are passed on as-is. For
580 details about this prefixing see
581 <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
582 Defaults to true.</para></listitem>
586 <term><varname>TimerSlackNSec=</varname></term>
587 <listitem><para>Sets the timer slack
588 in nanoseconds for the executed
589 processes. The timer slack controls
590 the accuracy of wake-ups triggered by timers. See
592 <citerefentry><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
593 for more information. Note that in
594 contrast to most other time span
595 definitions this parameter takes an
596 integer value in nano-seconds if no
597 unit is specified. The usual time units are understood
599 too.</para></listitem>
603 <term><varname>LimitCPU=</varname></term>
604 <term><varname>LimitFSIZE=</varname></term>
605 <term><varname>LimitDATA=</varname></term>
606 <term><varname>LimitSTACK=</varname></term>
607 <term><varname>LimitCORE=</varname></term>
608 <term><varname>LimitRSS=</varname></term>
609 <term><varname>LimitNOFILE=</varname></term>
610 <term><varname>LimitAS=</varname></term>
611 <term><varname>LimitNPROC=</varname></term>
612 <term><varname>LimitMEMLOCK=</varname></term>
613 <term><varname>LimitLOCKS=</varname></term>
614 <term><varname>LimitSIGPENDING=</varname></term>
615 <term><varname>LimitMSGQUEUE=</varname></term>
616 <term><varname>LimitNICE=</varname></term>
617 <term><varname>LimitRTPRIO=</varname></term>
618 <term><varname>LimitRTTIME=</varname></term>
619 <listitem><para>These settings control
620 various resource limits for executed processes. See
622 <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
623 for details. Use the string
624 <varname>infinity</varname> to
625 configure no limit on a specific
626 resource.</para></listitem>
630 <term><varname>PAMName=</varname></term>
631 <listitem><para>Sets the PAM service
632 name to set up a session as. If set
633 the executed process will be
634 registered as a PAM session under the
635 specified service name. This is only
636 useful in conjunction with the
637 <varname>User=</varname> setting. If
638 not set no PAM session will be opened
639 for the executed processes. See
640 <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
641 for details.</para></listitem>
645 <term><varname>TCPWrapName=</varname></term>
646 <listitem><para>If this is a
647 socket-activated service this sets the
648 tcpwrap service name to check the
649 permission for the current connection
650 with. This is only useful in
651 conjunction with socket-activated
652 services, and stream sockets (TCP) in
653 particular. It has no effect on other
654 socket types (e.g. datagram/UDP) and
655 on processes unrelated to socket-based
656 activation. If the tcpwrap
657 verification fails daemon start-up
658 will fail and the connection is refused. See
660 <citerefentry><refentrytitle>tcpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
661 for details. Note that this option may
662 be used to do access control checks
663 only. Shell commands and commands described in
665 <citerefentry><refentrytitle>hosts_options</refentrytitle><manvolnum>5</manvolnum></citerefentry>
666 are not supported.</para></listitem>
670 <term><varname>CapabilityBoundingSet=</varname></term>
672 <listitem><para>Controls which
673 capabilities to include in the
674 capability bounding set for the
675 executed process. See
676 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
677 for details. Takes a whitespace
678 separated list of capability names as understood by
680 <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
681 Capabilities listed will be included
682 in the bounding set, all others are
683 removed. If the list of capabilities
684 is prefixed with ~ all but the listed
685 capabilities will be included, the
686 effect of the assignment
687 inverted. Note that this option also
688 affects the respective capabilities in
689 the effective, permitted and
690 inheritable capability sets, on top of
691 what <varname>Capabilities=</varname>
692 does. If this option is not used the
693 capability bounding set is not
694 modified on process execution, hence
695 no limits on the capabilities of the executed process are
697 enforced.</para></listitem>
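Added example, not systemd code: a small Python model of how a CapabilityBoundingSet= value is applied, using the capability names from capabilities(7); the function names, and the assumption that the bounding set starts out full because the service manager runs as root, are this example's own.

```python
# Capability names as listed in capabilities(7), CAP_CHOWN through
# CAP_BLOCK_SUSPEND; later kernels define more, which would simply be
# appended here.
ALL_CAPABILITIES = (
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND",
)


def apply_bounding_set(spec, current=None):
    """Return the capability bounding set that results from a
    CapabilityBoundingSet= value. spec=None models the option being absent:
    the set is left as it is. Otherwise the listed capabilities are kept and
    all others dropped; a leading '~' inverts that. The result never exceeds
    the starting set, because a process can only drop bounding-set entries
    (prctl(2) PR_CAPBSET_DROP), never add them. current defaults to the full
    set, which is what the service manager has when running as root."""
    current = set(ALL_CAPABILITIES) if current is None else set(current)
    if spec is None:
        return current
    spec = spec.strip()
    invert = spec.startswith("~")
    names = spec[1:].split() if invert else spec.split()
    unknown = [n for n in names if n not in ALL_CAPABILITIES]
    if unknown:
        raise ValueError("unknown capability name(s): " + " ".join(unknown))
    listed = set(names)
    keep = set(ALL_CAPABILITIES).difference(listed) if invert else listed
    return current.intersection(keep)


def dropped_capabilities(spec, current=None):
    """Capabilities the setting removes from the bounding set; useful when
    reviewing a unit file, since an empty result means nothing is dropped."""
    before = set(ALL_CAPABILITIES) if current is None else set(current)
    return before.difference(apply_bounding_set(spec, before))


if __name__ == "__main__":
    # A daemon that only needs to bind a privileged port: keep one
    # capability and drop every other one.
    print(sorted(apply_bounding_set("CAP_NET_BIND_SERVICE")))
    # The inverted form: keep everything except two dangerous ones.
    print(sorted(dropped_capabilities("~CAP_SYS_ADMIN CAP_SYS_MODULE")))
```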
701 <term><varname>SecureBits=</varname></term>
702 <listitem><para>Controls the secure
703 bits set for the executed process. See
704 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
705 for details. Takes a list of strings:
706 <option>keep-caps</option>,
707 <option>keep-caps-locked</option>,
708 <option>no-setuid-fixup</option>,
709 <option>no-setuid-fixup-locked</option>,
710 <option>noroot</option> and/or
711 <option>noroot-locked</option>.
716 <term><varname>Capabilities=</varname></term>
717 <listitem><para>Controls the
718 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
719 set for the executed process. Takes a
720 capability string describing the
721 effective, permitted and inherited
722 capability sets as documented in
723 <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
724 Note that these capability sets are
725 usually influenced by the capabilities
726 attached to the executed file. Due to that
728 <varname>CapabilityBoundingSet=</varname>
729 is probably the much more useful
730 setting.</para></listitem>
734 <term><varname>ControlGroup=</varname></term>
736 <listitem><para>Controls the control
737 groups the executed processes shall be
738 made members of. Takes a
739 space-separated list of cgroup
740 identifiers. A cgroup identifier has a format like
742 <filename>cpu:/foo/bar</filename>,
743 where "cpu" identifies the kernel
744 control group controller used, and
745 <filename>/foo/bar</filename> is the
746 control group path. The controller
747 name and ":" may be omitted in which
748 case the named systemd control group
749 hierarchy is implied. Alternatively,
750 the path and ":" may be omitted, in
751 which case the default control group
752 path for this unit is implied. This
753 option may be used to place executed
754 processes in arbitrary groups in
755 arbitrary hierarchies -- which can be
756 configured externally with additional
757 execution limits. By default systemd
758 will place all executed processes in
759 separate per-unit control groups
760 (named after the unit) in the systemd
761 named hierarchy. Since every process
762 can be in one group per hierarchy only,
763 overriding the control group path in
764 the named systemd hierarchy will
765 disable automatic placement in the
766 default group. This option is
767 primarily intended to place executed
768 processes in specific paths in
769 specific kernel controller
770 hierarchies. It is however not
771 recommended to manipulate the service
772 control group path in the systemd
773 named hierarchy. For details about
774 control groups see <ulink
775 url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>.</para></listitem>
779 <term><varname>ControlGroupModify=</varname></term>
780 <listitem><para>Takes a boolean
781 argument. If true, the control groups
782 created for this unit will be owned by
783 the user specified with
784 <varname>User=</varname> (and the
785 appropriate group), and he/she can create
786 subgroups as well as add processes to
787 the group.</para></listitem>
791 <term><varname>ControlGroupPersistent=</varname></term>
792 <listitem><para>Takes a boolean
793 argument. If true, the control groups
794 created for this unit will be marked
795 to be persistent, i.e. systemd will
796 not remove them when stopping the
797 unit. The default is false, meaning
798 that the control groups will be
799 removed when the unit is stopped. For
800 details about the semantics of this option see <ulink
802 url="http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups">PaxControlGroups</ulink>.</para></listitem>
806 <term><varname>ControlGroupAttribute=</varname></term>
808 <listitem><para>Set a specific control
809 group attribute for executed
810 processes, and (if needed) add the
811 executed processes to a cgroup in the
812 hierarchy of the controller the
813 attribute belongs to. Takes two
814 space-separated arguments: the
815 attribute name (syntax is
816 <literal>cpu.shares</literal> where
817 <literal>cpu</literal> refers to a
818 specific controller and
819 <literal>shares</literal> to the
820 attribute name), and the attribute value. Example:
822 <literal>ControlGroupAttribute=cpu.shares
823 512</literal>. If this option is used
824 for an attribute that belongs to a
825 kernel controller hierarchy the unit
826 is not already configured to be added
827 to (for example via the
828 <literal>ControlGroup=</literal>
829 option) then the unit will be added to
830 the controller and the default unit
831 cgroup path is implied. Thus, using
832 <varname>ControlGroupAttribute=</varname>
833 is in most cases sufficient to make use
834 of control group enforcements,
836 <varname>ControlGroup=</varname> are
837 only necessary in case the implied
838 default control group path for a
839 service is not desirable. For details
840 about control group attributes see <ulink
842 url="http://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups.txt</ulink>. This
843 option may appear more than once, in
844 order to set multiple control group
845 attributes.</para></listitem>
849 <term><varname>CPUShares=</varname></term>
851 <listitem><para>Assign the specified
852 overall CPU time shares to the
853 processes executed. Takes an integer
854 value. This controls the
855 <literal>cpu.shares</literal> control
856 group attribute, which defaults to
857 1024. For details about this control
858 group attribute see <ulink
859 url="http://www.kernel.org/doc/Documentation/scheduler/sched-design-CFS.txt">sched-design-CFS.txt</ulink>.</para></listitem>
863 <term><varname>MemoryLimit=</varname></term>
864 <term><varname>MemorySoftLimit=</varname></term>
866 <listitem><para>Limit the overall memory usage
867 of the executed processes to a certain
868 size. Takes a memory size in bytes. If
869 the value is suffixed with K, M, G or
870 T the specified memory size is parsed
871 as Kilobytes, Megabytes, Gigabytes,
872 or Terabytes (to the base
873 1024), respectively. This controls the
874 <literal>memory.limit_in_bytes</literal> and
876 <literal>memory.soft_limit_in_bytes</literal>
877 control group attributes. For details
878 about these control group attributes see <ulink
880 url="http://www.kernel.org/doc/Documentation/cgroups/memory.txt">memory.txt</ulink>.</para></listitem>
884 <term><varname>DeviceAllow=</varname></term>
885 <term><varname>DeviceDeny=</varname></term>
887 <listitem><para>Control access to
888 specific device nodes by the executed processes. Takes two
889 space separated strings: a device node path (such as
891 <filename>/dev/null</filename>)
892 followed by a combination of r, w, m
893 to control reading, writing, or
894 creating of the specific device node
895 by the unit, respectively. This controls the
896 <literal>devices.allow</literal> and
898 <literal>devices.deny</literal>
899 control group attributes. For details
900 about these control group attributes see <ulink
902 url="http://www.kernel.org/doc/Documentation/cgroups/devices.txt">devices.txt</ulink>.</para></listitem>
906 <term><varname>BlockIOWeight=</varname></term>
908 <listitem><para>Set the default or
909 per-device overall block IO weight
910 value for the executed
911 processes. Takes either a single
912 weight value (between 10 and 1000) to
913 set the default block IO weight, or a
914 space separated pair of a file path
915 and a weight value to specify the
916 device specific weight value (Example:
917 "/dev/sda 500"). The file path may be
918 specified as path to a block device
919 node or as any other file in which
920 case the backing block device of the
921 file system of the file is
922 determined. This controls the
923 <literal>blkio.weight</literal> and
924 <literal>blkio.weight_device</literal>
925 control group attributes, which
926 default to 1000. Use this option
927 multiple times to set weights for
928 multiple devices. For details about
929 these control group attributes see <ulink
931 url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
<term><varname>BlockIOReadBandwidth=</varname></term>
<term><varname>BlockIOWriteBandwidth=</varname></term>

<listitem><para>Set the per-device
overall block IO bandwidth limit for
the executed processes. Takes a
space-separated pair of a file path and a
bandwidth value (in bytes per second)
to specify the device-specific
bandwidth. The file path may be
specified as the path to a block device
node or as any other file, in which
case the backing block device of the
file system of the file is determined.
If the bandwidth is suffixed with K, M,
G, or T, the specified bandwidth is
parsed as Kilobytes, Megabytes,
Gigabytes, or Terabytes, respectively (Example:
"/dev/disk/by-path/pci-0000:00:1f.2-scsi-0:0:0:0
5M"). This controls the
<literal>blkio.read_bps_device</literal>
and
<literal>blkio.write_bps_device</literal>
control group attributes. Use this
option multiple times to set bandwidth
limits for multiple devices. For
details about these control group
attributes see <ulink
url="http://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt">blkio-controller.txt</ulink>.</para></listitem>
<term><varname>ReadWriteDirectories=</varname></term>
<term><varname>ReadOnlyDirectories=</varname></term>
<term><varname>InaccessibleDirectories=</varname></term>

<listitem><para>Sets up a new
file-system namespace for executed
processes. These options may be used
to limit the access a process has
to the main file-system
hierarchy. Each setting takes a
space-separated list of absolute
directory paths. Directories listed in
<varname>ReadWriteDirectories=</varname>
are accessible from within the
namespace with the same access rights
as from outside. Directories listed in
<varname>ReadOnlyDirectories=</varname>
are accessible for reading only;
writing will be refused even if the
usual file access controls would
permit it. Directories listed in
<varname>InaccessibleDirectories=</varname>
will be made inaccessible for processes
inside the namespace. Note that
restricting access with these options
does not extend to submounts of a
directory. You must list submounts
separately in these settings to
ensure the same limited access. These
options may be specified more than
once, in which case all directories
listed will have limited access from
inside the
namespace.</para></listitem>
<term><varname>PrivateTmp=</varname></term>

<listitem><para>Takes a boolean
argument. If true, sets up a new file
system namespace for the executed
processes and mounts a private
<filename>/tmp</filename> directory
inside it that is not shared by
processes outside of the
namespace. This is useful to secure
access to temporary files of the
process, but makes sharing between
processes via
<filename>/tmp</filename>
impossible. Defaults to
false.</para></listitem>
<term><varname>PrivateNetwork=</varname></term>

<listitem><para>Takes a boolean
argument. If true, sets up a new
network namespace for the executed
processes and configures only the
loopback network device
<literal>lo</literal> inside it. No
other network devices will be
available to the executed process.
This is useful to securely turn off
network access by the executed
process. Defaults to
false.</para></listitem>
<term><varname>MountFlags=</varname></term>

<listitem><para>Takes a mount
propagation flag, one of
<option>shared</option>,
<option>slave</option> or
<option>private</option>, which
controls whether the file system
namespace set up for this unit's
processes will receive or propagate
new mounts. See
<citerefentry><refentrytitle>mount</refentrytitle><manvolnum>1</manvolnum></citerefentry>
for details. Defaults to
<option>shared</option>.</para></listitem>
<term><varname>UtmpIdentifier=</varname></term>

<listitem><para>Takes a four
character identifier string for a
utmp/wtmp entry for this service. This
should only be set for services such
as <command>getty</command>
implementations where utmp/wtmp
entries must be created and cleared
before and after execution. If the
configured string is longer than four
characters, it is truncated and the
terminal four characters are
used. This setting interprets %I style
string replacements. This setting is
unset by default, i.e. no utmp/wtmp
entries are created or cleaned up for
this service.</para></listitem>
<term><varname>IgnoreSIGPIPE=</varname></term>

<listitem><para>Takes a boolean
argument. If true, causes SIGPIPE to be
ignored in the executed
process. Defaults to true, since
SIGPIPE generally is useful only in
shell pipelines.</para></listitem>
<term><varname>NoNewPrivileges=</varname></term>

<listitem><para>Takes a boolean
argument. If true, ensures that the
service process and all its children
can never gain new privileges. This
option is more powerful than the respective
secure bits flags (see above), as it
also prohibits UID changes of any
kind. This is the simplest, most
effective way to ensure that a process
and its children can never elevate
privileges again.</para></listitem>
<term><varname>SystemCallFilter=</varname></term>

<listitem><para>Takes a space
separated list of system call
names. If this setting is used, all
system calls executed by the unit
process except for the listed ones
will result in immediate process
termination with the SIGSYS signal
(whitelisting). If the first character
of the list is <literal>~</literal>,
the effect is inverted: only the
listed system calls will result in
immediate process termination
(blacklisting). If this option is used,
<varname>NoNewPrivileges=yes</varname>
is implied. This feature makes use of
the Secure Computing Mode 2 interfaces
of the kernel ('seccomp filtering')
and is useful for enforcing a minimal
sandboxing environment. Note that the
<function>execve</function>,
<function>rt_sigreturn</function>,
<function>sigreturn</function>,
<function>exit_group</function> and
<function>exit</function> system calls
are implicitly whitelisted and don't
need to be listed
explicitly.</para></listitem>
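A unit file that combines the options documented above (the block IO controls, the file-system and network namespace options, NoNewPrivileges= and SystemCallFilter=) in one place, added here as an example; it is not part of the systemd documentation. The service name, binary path, directories, device node and system call lists are assumptions chosen for illustration.

```ini
# Added example, not from the systemd sources: a hypothetical service
# "example-daemon". All paths, the device node and the system call lists
# below are assumptions and must be adapted to the real daemon.

[Unit]
Description=Example daemon run in a restricted execution environment

[Service]
ExecStart=/usr/bin/example-daemon

# Block IO: a default weight for all devices, a lower per-device weight
# for /dev/sda, and a 5 megabyte per second read cap whose device is
# resolved from the file system backing the state directory.
BlockIOWeight=500
BlockIOWeight=/dev/sda 100
BlockIOReadBandwidth=/var/lib/example-daemon 5M

# File-system namespace: the state directory stays writable, /etc and
# /usr are read-only even where file modes would allow writing, and
# /home and /root are hidden. Submounts below these paths are not
# covered and would have to be listed separately.
ReadWriteDirectories=/var/lib/example-daemon
ReadOnlyDirectories=/etc /usr
InaccessibleDirectories=/home /root
PrivateTmp=yes
# Receive mount events from the host but never propagate our own back.
MountFlags=slave

# The daemon needs no network; only "lo" exists inside its namespace.
PrivateNetwork=yes

# SystemCallFilter= already implies NoNewPrivileges=yes; it is written
# out so the intent is visible when the unit is reviewed.
NoNewPrivileges=yes

# Blacklist form ("~"): only the listed calls terminate the process with
# SIGSYS; everything else is allowed.
SystemCallFilter=~ptrace mount umount2 swapon swapoff reboot kexec_load

# Whitelist form (alternative, commented out): every call not listed
# terminates the process. execve, rt_sigreturn, sigreturn, exit_group
# and exit are implicitly allowed. The list must be derived from the
# daemon's actual system call usage or it will be killed at start-up.
# SystemCallFilter=read write open close fstat mmap munmap brk nanosleep

# The default; stated explicitly because the daemon is not a pipeline
# member and should not die on a broken pipe.
IgnoreSIGPIPE=yes

[Install]
WantedBy=multi-user.target
```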
<title>See Also</title>

<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.swap</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>